Azure Virtual Machines Forensics & Incident Response

Forensic Labs
2 min read, Aug 15, 2023

Welcome to the next video in our series on Cloud Forensics and Incident Response: Azure Virtual Machines.

Virtual Machines

Azure Virtual Machines (VMs) are a cloud computing service from Microsoft that enables users to create, configure, and manage virtual machines in the cloud. VMs can be created from pre-configured images or from scratch and can be configured to run a variety of operating systems and applications. Azure VMs are available in a variety of sizes and can be scaled up or down to meet changing computing needs.

Azure provides the functionality to export the disk images of Virtual Machines in VHD format for forensic analysis. In the portal this is done by selecting the disk and then selecting Create Snapshot. The same operation is available on the command line through the az snapshot create command:

az snapshot create --name
--resource-group
[--accelerated-network {false, true}]
[--architecture {Arm64, x64}]
[--copy-start {false, true}]
[--disk-access]
[--disk-encryption-set]
[--edge-zone]
[--encryption-type {EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys, EncryptionAtRestWithPlatformKey}]
[--for-upload {false, true}]
[--hyper-v-generation {V1, V2}]
[--incremental {false, true}]
[--location]
[--network-access-policy {AllowAll, AllowPrivate, DenyAll}]
[--no-wait]
[--public-network-access {Disabled, Enabled}]
[--size-gb]
[--sku {Premium_LRS, Standard_LRS, Standard_ZRS}]
[--source]
[--source-storage-account-id]
[--tags]
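The synopsis above lists the options; the script below, added here as an example and not code from the original post or from Cado, strings the commands together into the procedure an investigator actually runs: look up the VM's OS disk, snapshot it, lock the snapshot against deletion, grant a short-lived read-only SAS URL, download the VHD, record its hash, and revoke the SAS. It assumes `az login` has already been done with sufficient rights on the resource group; the resource group "ir-rg", VM "web01" and case id "CASE-001" are constructed placeholders. Setting DRY_RUN=1 prints each command instead of executing it, which is a convenient way to review the exact commands before touching a live subscription.

```shell
#!/bin/sh
# Added example, not code from the original post: preserve a VM's OS disk as
# an Azure snapshot for forensics and export it as a VHD with the Azure CLI.
# Assumes `az login` has been done and the caller can create snapshots and
# locks in the resource group. "ir-rg", "web01" and "CASE-001" in the usage
# line are constructed placeholders.
# Set DRY_RUN=1 to print each command instead of executing it.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Evidence naming: <case>-<vm>-<UTC timestamp>, so the snapshot is
# self-describing in the portal and in Activity Log entries. A timestamp
# may be passed as the third argument to make the name reproducible.
snapshot_name() {
    ts="${3:-$(date -u +%Y%m%dT%H%M%SZ)}"
    printf '%s-%s-%s' "$1" "$2" "$ts"
}

# Managed-disk resource id of the VM's OS disk: the --source of the snapshot.
os_disk_id() {
    run az vm show --resource-group "$1" --name "$2" \
        --query 'storageProfile.osDisk.managedDisk.id' --output tsv
}

# Full procedure: snapshot -> delete lock -> temporary read SAS -> download
# -> hash -> revoke SAS. Arguments: resource group, VM name, case id,
# optional timestamp.
preserve_os_disk() {
    rg="$1"; vm="$2"; case_id="$3"
    snap="$(snapshot_name "$case_id" "$vm" "${4:-}")"
    disk_id="$(os_disk_id "$rg" "$vm")"

    # Point-in-time copy of the disk. Tags tie the artifact to the case;
    # the disk itself is left untouched and the VM keeps running.
    run az snapshot create --resource-group "$rg" --name "$snap" \
        --source "$disk_id" --incremental true \
        --tags "case=$case_id" "source-vm=$vm" --output none

    # CanNotDelete lock so the evidence copy cannot be removed by mistake,
    # or by the same compromised identity, while the case is open.
    run az lock create --name "hold-$snap" --resource-group "$rg" \
        --resource "$snap" --resource-type Microsoft.Compute/snapshots \
        --lock-type CanNotDelete --output none

    # Short-lived, read-only SAS URL for the export; revoked right after use.
    sas="$(run az snapshot grant-access --resource-group "$rg" --name "$snap" \
        --duration-in-seconds 3600 --access-level Read \
        --query accessSas --output tsv)"
    run curl -fsSL -o "$snap.vhd" "$sas"
    run sha256sum "$snap.vhd"   # record this hash in the case notes
    run az snapshot revoke-access --resource-group "$rg" --name "$snap"

    printf 'preserved %s as %s.vhd\n' "$vm" "$snap"
}

# Usage: preserve_os_disk ir-rg web01 CASE-001
```

The SAS is granted for one hour and revoked immediately after the download, so the export window is as narrow as the transfer itself; the lock and the case tags are what make the snapshot defensible as evidence if the original disk is later changed or deleted.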

Detection in Azure

Creating a Snapshot for Forensics Manually

https://learn.microsoft.com/en-us/azure/virtual-machines/disks-incremental-snapshots?tabs=azure-cli

Also see the SDK at https://github.com/google/cloud-forensics-utils

Importing into Cado

https://docs.cadosecurity.com/cado-response/discovery-import/import/azure/azure-compute

Free 14-day trial

Receive unlimited access to the Cado Response Platform for 14 days.

www.cadosecurity.com/free-investigation/
